Search For ssl

Firefox Add-ons for Web Developers

Advanced Web Development by AskApache is a Firefox Collection I created since I’m always trying new Addons out and using multiple computers and I wanted a quick and easy way to install my favorite’s and keep a running list. Firebug, YSlow, LastPass, and Web Developer are the only ones I always use regularly.

I like the idea of the last.fm but it’s not as powerful as the site, which is awesome. Lately listening to Kings of Leon Radio…

Tagged: askapache, Firebug, Firefox, Firefox Addons, Web Development, webdev, YSlow | 4 Comments | Continue...

---

---

---

Advanced WordPress wp-config.php Tweaks

The bottom line for this article is that I want to make WordPress as fast, secure, and easy to install, run, and manage because I am using it more and more for client production sites, I will work for days in order to solve an issue so that I never have to spend time on that issue again. Time is money in this industry and that is ultimately (time) what there is to gain by tweaking WordPress.

Note: I spent no time on readability, this is primarily a read the code and figure it out article.. This is for advanced users looking for a reference or discussion and for those of you looking to advance. Feedback would be great if you make it that far..

Tagged: admin, advanced, Cookies, debugging, htaccess, mod_rewrite, PHP, phpinfo, WordPress, wp-config.php | 4 Comments | Continue...

---

Crazy Advanced Mod_Rewrite Tutorial

Note: Extremely ILL Content
Find the key to unlocking mod_rewrite and you WILL be sick.. sick with a diamond disease on your wrist!

Tagged: advanced, askapache, cheatsheet, howto, htaccess, htaccess rewrite, mod_rewrite, tutorial | 19 Comments | Continue...

---

An AskApache Plugin Upgrade to Rule them All

So my blog as been rather quiet for almost a year now, and very few updates if any have been released for my Password Protection PLugin, my Google 404 Plugin, and definately not for my AskApache CrazyCache plugin, which I will be releasing last… So for all of you who’ve helped me out by sending me suggestions and notifying me of errors and sticking with it… Just wanted to say sorry about that, and thanks for all the great ideas.. Well, I’ve been sticking with it as well believe it our not. I manage to get free days once in a while, and then its time to jam.

Tagged: AskApache Google 404, AskApache Password Protection, Fsockopen, WordPress Plugins, wordpress security | 1 Comment | Continue...

---

The Right to Read

The proponents of this scheme have given it names such as “trusted computing” and “palladium”. We call it “treacherous computing”, because the effect is to make your computer obey companies instead of you. This was implemented in 2007 as part of Windows Vista; we expect Apple to do something similar. In this scheme, it is the manufacturer that keeps the secret code, but the FBI would have little trouble getting it.

4 Comments | Continue...

---

DNS Round Robin Configuration using Rsync over SSH

The goal is to add the HostGator server to be an exact mirror of the static.askapache.com domain, then to add that server as a 2nd A record to my DNS zone. That way half the visitors to the size will be taking up resources and bandwidth on the HostGator server instead of mine.

Round Robin A records in DNS are intended to evenly distribute queries between each host of the same name. Using some tricks straight out of a hackers toolbox we can verify if the distribution is taking place. (It is.)

Tagged: DNS, DreamHost, HostGator, Powweb, Round Robin, rsync, ssh | 4 Comments | Continue...

---

Advanced Htaccess – SSI, ErrorDocuments, DirectoryIndexing SEO

3-Part article covering practical implementation of 3 advanced .htaccess features. Discover an easy way to boost your SEO the AskApache way (focus on visitors), a tip you might keep and use for life. Get some cool security tricks to use against spammers, crackers, and other nefarious sorts. Take your site’s error handling to the next level, enhanced ErrorDocuments that go beyond 404’s.

Tagged: Apache Htaccess, errordocument, htaccess, htaccess rewrite, mod_include, Server Side Includes, SSI, SymLinks | 1 Comment | Continue...

---

Password Protection Plugin Status

Enumerating Permissions can be Annoying

Don’t ask me how because I won’t tell you, but on one of the hosts I was testing on that did not allow direct access I was able to get the Apache server running as dhapache to erroneously write a file into my users blog directory. This is a big security no-no and I now have my .htaccess file written into the blog directory where it should go, but instead of my php script’s user having write access to the file so I can modify it, its owned by dhapache! Because the file is owned by dhapache I shouldn’t even be allowed to know it exists, but there it is. So the next step was to try and take ownership of the .htaccess file so that I could modify it. I tried and tried but was unsuccessful, I couldn’t modify it so that was another dead end. Actually it took me awhile to figure out how to remove the file from my directory. Being that it was owned by dhapache I couldn’t delete or modify it using my php process or even through ftp/ssh! Sysadmins regularly run find commands that search the servers for any files owned by dhapache that should not be there as this is a big red flag that someone has found a way to manipulate dhapache which could potentially lead to modifying dhapache-owned server config files, which sometimes is all it takes to hack your website and server.. Luckily I was able to delete it by basically running the hack again to overwrite the file.

Tagged: .htaccess plugin, Apache, askapache, htaccess, password protection, Security, WordPress | 2 Comments | Continue...

---

Ultimate Htaccess Tutorial for .htaccess files

This is not an introduction to .htaccess… This is the evolution of .htaccess… The BEST, the ORIGINAL, the NEWEST, and the most HIGHEST, FLYEST .htaccess tricks I can find.

Originally known as the “Ultimate .htaccess Guide”, its changed over the years by adding new .htaccess tricks and .htaccess examples to it.. I also add my favorite .htaccess links, the best .htaccess articles on AskApache, the coolest .htaccess experiments, the Web’s best .htaccess hacks, and update this article on the regular.

Tagged: .htaccess examples, Apache, Cache, caching, Files, FilesMatch, Google, Hacking, howto, htaccess, htaccess guide, htaccess help, htaccess howto, htaccess rewrite, htaccess tricks, htaccess tutorial, httpd, litespeed, mod_rewrite, Mod_Security, rewritecond, rewriterule, sample .htaccess, Security, SEO, seo secrets, SetEnvIf, ssl, ultimate htaccess | 56 Comments | Continue...

---

Advanced .htaccess Tricks for Securing Sites

This is all new, experimental, and very very cool. It literally uses .htaccess techniques to create several virtual “locked gates” that require a specific key to unlock, in a specific order that cannot be bypassed. It uses whitelisting .htaccess tricks to specify exactly what is allowed, instead of trying to specify everything that isn’t allowed. Also, by setting specific cookies/tokens after successfully passing through a gate, we can then require the exact cookie/token from the previous gate, which stops an attacker from skipping or bypassing gates.

Tagged: advanced, Hacking, htaccess, mod_rewrite, phpBB, Security, ssl | 7 Comments | Continue...

---

.htaccess Plugin Blocks Spam, Hackers, and Password Protects Blog

Well what can I say, other than this is sooo DOPE! Here is a list of the modules this plugin (version 4.7 unreleased) will automatically detect. I compiled the list myself using every module included with any default Apache installation for ALL the versions listed below, 1.3 to 2.2+

Want to know something else I’m including in this plugin? For each and every module that is detected, this plugin can then detect ALL of the modules .htaccess Directives! For instance, RewriteRule, AccessFileName, AddHandler, etc.. are each a directive belonging to a module that is allowed to be used from within .htaccess files.

Talk about sick.. these tricks have the diamond disease!

Tagged: Hacking, htaccess, htaccess rewrites, mod_rewrite, Security | 38 Comments | Continue...

---

Optimize a Website for Speed, Security, and Easy Management

Learn how to setup, configure, secure, optimize, and create a low-maintenance website the AskApache way. I’m piecing together all the hacks, tricks, methods, and ideas discussed throughout this blog and all across Netdom and glueing them all together to show you how to have the most optimized, crazy fastest, and best website setup I can think of.

Tagged: Apache, Cache, compression, hosting, htaccess, optimization, Security, server | 5 Comments | Continue...

---

Top 3 Speed Tips for Sites using Google Analytics

Top 3 ways to speed up websites that use Google Analytics. Host Script Locally, Fix Google-Analytics Cookie Domain, and Failsafe Loading for optimum tracking statistics.

Tagged: Analytics, cookie, Google, Google Analytics, Javascript, Tracking Code | 9 Comments | Continue...

---

COMPUTER SECURITY TOOLBOX

List of mainly obscure security software geared more for the master pentester. These are mostly for unix, bsd, and mac and many are difficult to install and setup (require custom servers, inside access points, obscure libraries). Only programs that output data are included, so no actual exploits or anything. Most of these output extremely useful albeit extremely technical information.

3 Comments | Continue...

---

Mod_Rewrite Variables Cheatsheet

We’ve figured out what mod_rewrite variables look like, a cheatsheet of the actual value.

Tagged: cheatsheet, htaccess, mod_rewrite, mod_rewrite cheatsheet, rewritecond, rewriterule | 4 Comments | Continue...

---

Notes from Apache HTTPD Source Code

thought I’d take a break from coding and post about how open-source is such a great tool for finding the best answers to the toughest questions,

/** is the status code informational */
#define ap_is_HTTP_INFO(x)         (((x) >= 100)&&((x) < 200))
/** is the status code OK ?*/
 
#define ap_is_HTTP_SUCCESS(x)      (((x) >= 200)&&((x) < 300))
/** is the status code a redirect */
#define ap_is_HTTP_REDIRECT(x)     (((x) >= 300)&&((x) < 400))
 
/** is the status code a error (client or server) */
#define ap_is_HTTP_ERROR(x)        (((x) >= 400)&&((x) < 600))
/** is the status code a client error  */
 
#define ap_is_HTTP_CLIENT_ERROR(x) (((x) >= 400)&&((x) < 500))
/** is the status code a server error  */
#define ap_is_HTTP_SERVER_ERROR(x) (((x) >= 500)&&((x) < 600))
 
/** is the status code a (potentially) valid response code?  */
#define ap_is_HTTP_VALID_RESPONSE(x) (((x) >= 100)&&((x) < 600))

Tagged: httpd.conf, source code | Continue...

---

Preloading .flv and .mp3 files with Flash

If you want to pre-load .flv / .mp3 files into a visitors browser cache using flash, here’s the actionscript I use to do it, and some ideas behind a good javascript implementation using swfobject or ufo.

Tagged: actionscript, htaccess, Javascript, preloading | 9 Comments | Continue...

---

Fsockopen Power Plays

PHP’s fsockopen function lets you open an Internet or Unix domain socket connection for connecting to a resource, and is one of the most powerful functions available in the php language.

Tagged: Cache, Fsockopen, Hacking, HTTO, linux, Networking, Performance, PHP, Pipelining, Socket | 3 Comments | Continue...

---

Securing php.ini and php.cgi with .htaccess

If you have a php.cgi or php.ini file in your /cgi-bin/ directory or other pub directory, try requesting them from your web browser. If your php.ini shows up or worse you are able to execute your php cgi, you’ll need to secure it ASAP. This shows several ways to secure these files, and other interpreters like perl, fastCGI, bash, csh, etc.

Tagged: htaccess | 2 Comments | Continue...

---

Upgrading to DreamHost Private Servers

DreamHost PS gives you your own “virtual machine”, protecting your CPU and RAM on your physical machine for faster websites. Here’s what I like and dislike about DreamHostPS, and some of the issues and solutions for migrating.

14 Comments | Continue...

---

Smart HTTP and HTTPS .htaccess Rewrite

This is freaking sweet if you use SSL I promise you! Basically instead of having to check for HTTPS using a RewriteCond %{HTTPS} =on for every redirect that can be either HTTP or HTTPS, I set an environment variable once with the value “http” or “https” if HTTP or HTTPS is being used for that request, and use that env variable in the RewriteRule.

Tagged: htaccess, htaccess rewrite, HTTPS, mod_rewrite, ssl | 13 Comments | Continue...

---

Mod_Security .htaccess tricks

Mod_Security rivals Mod_Rewrite in the amount of features it provides. I decided to go ahead and post what I learned about it today, even though its tough to give away such awesome htaccess and apache tricks.. Learn how to control spam once and for all, conditionally log/deny/allow/redirect requests based on IP, username, etc.. Mod_Security is so fine!

Tagged: Hacking, htaccess, Mod_Security, Security | 8 Comments | Continue...

---

.Htaccess rewrites, Mod_Rewrite Tricks and Tips

htaccess rewrite / Mod_Rewrite Tips and Tricks is as glamorous as it sounds! htaccess rewrite mod_rewrite is just possibly one of the most useful Apache modules and features. The ability to rewrite requests internally as well as externally is extremely powerful.

Tagged: htaccess, htaccess rewrite, mod_rewrite, Redirecting URLS, rewrite, Rewrite Tricks, rewritecond, rewriterule | 57 Comments | Continue...

---

Apache SSL in htaccess examples

SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "google.com"
ErrorDocument 403 https://google.com

Some of the Ins and Outs of using SSL Connections with Apache.

Tagged: apache ssl | 9 Comments | Continue...

---

PHP Sessions/Cookies On The Fly

This article shows how to save and modify php session data, cookies, do anything really… without using ajax or iframes or forcing the user make a request.

Tagged: Cookies, PHP, Sessions | 2 Comments | Continue...

---

Update: AskApache Password Protect Plugin

WordPress plugin gives you control over HTTP Basic Authentication for your WordPress blog which among other things, stops most automated hacking attempts and exploits being attempted, cutting down on the number of requests, connections, and mysql queries for all WordPress blogs on the Internet.

14 Comments | Continue...

---

Advanced WordPress 404.php

For the AskApache Google 404 WordPress Plugin update I added a new 404.php that is more advanced than anything previously seen for a 404.php

Continue...

---

Hackers Declare Total War against Scientology

For the good of your followers,
for the good of mankind,
and for our own enjoyment,
we shall proceed to expel you from the Internet and systematically dismantle the Church of Scientology in its present form.

4 Comments | Continue...

---

Fetch Feed Subscribers from Google Reader with CURL

PHP curl example utilizing cookies, POST, and SSL options to login to Google Reader and fetch the number of subscribers for a particular feed url.

2 Comments | Continue...

---

Redirecting RSS to Feedburner

FeedBurner is so RAD! I love it. Here’s an alternative method to redirect scrapers and feed requests to your feedburner url, in my case, I use Branding by feedburner, which is so hot, taking advantage of CNAMEs in your DNS record.

Tagged: FeedBurner, htaccess, Redirect, rewrite, WordPress | 7 Comments | Continue...

---

SetEnvIf and SetEnvIfNoCase Examples

SetEnv, SetEnvIf, and SetEnvIfNoCase directives conditionally set environment variables accessible by scripts and apache based on HTTP Headers, Variables, and Request information.

Tagged: Examples, htaccess, mod_rewrite, mod_setenvif, SetEnv, SetEnvIf | 4 Comments | Continue...

---

HTTP Status Codes and .htaccess ErrorDocuments

There are a total of 57 HTTP Status Codes recognized by the Apache Web Server. Wouldn’t you like to see what all those headers and their output, ErrorDocuments look like?

Tagged: Apache, errordocument, htaccess, HTTP Error, HTTP Status Codes, PHP, Redirect, Status Code | 19 Comments | Continue...

---

WordPress Plugin for Apache .htaccess Security

1. gzip’s previous .htaccess file and sends it as an attachment to the logged in users email account along with password user setup.
2. Now also works for sites running on SSL (PHP version >4.3.0)
3. Rewrote the security module code in the form of snort, nessus, and mod_security rules and signatures
4. Added a *real* check to see if mod_rewrite is installed
5. Added Modules that remove directoryindexes
6. Much more on the way..

1 Comment | Continue...

---

The Latest and Greatest php.ini

Grab the latest php.ini developmental version and discover new or previously hidden php runtime configuration settings… ahead of everyone else!

Continue...

---

Apache Directives and Modules on DreamHost

Apache .htaccess Directives and Loaded Modules allowed on DreamHost Apache Server 2 Setups.

Continue...

---

Pen-testing Security Tools

While testing the exploitability of your target and mapping out vulnerabilities it is important to gain access inside the targets defenses so that you can establish an internal foothold like a owned box or switch. This is so you can use a tool to discover the packet-filtering being used, and literally map out the firewall/IDS rules. Needless to say that really provides you with a lot more complete vulnerability assessment to help discover more weak spots in the system.

1 Comment | Continue...

---

Request Method Security Scanner

Also See: 27 Request Methods and HTTP Status Codes.
GET
The GET method indicates that the script should produce a document based on the meta-variable values. By convention, the GET method is ’safe’ and ‘idempotent’ and SHOULD NOT have the significance of taking an action other than producing a document.
The meaning of the GET method may be modified and refined by protocol-specific meta-variables.
POST
The POST method is used to request the script perform processing and produce a document based on the data in the request message-body, in addition to meta-variable values. A common use is form submission in HTML [18], intended to initiate processing by the script that has a permanent affect, such a change in a database.
The script MUST check the value of the CONTENT_LENGTH variable before reading the attached message-body, and SHOULD check the CONTENT_TYPE value before processing it.
HEAD
The HEAD method requests the script to do sufficient processing to return the response header fields, without providing a response message-body. The script MUST NOT provide a response message-body for a HEAD request. If it does, then the server MUST discard the message-body when reading the response from the script.
OPTIONS
The OPTIONS method represents a request for information about the communication options available on the request/response chain identified by the Request-URI. This method allows the client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action or initiating a resource retrieval.
Responses to this method are not cacheable.
If the OPTIONS request includes an entity-body (as indicated by the presence of Content-Length or Transfer-Encoding), then the media type MUST be indicated by a Content-Type field. Although this specification does not define any use for such a body, future extensions to HTTP might use the OPTIONS body to make more detailed queries…

1 Comment | Continue...

---

SEO with Robots.txt

Very nice tutorial dealing with the robots.txt file. Shows examples for google and other search engines. Wordpress robots.txt and phpBB robots.txt sample files.

13 Comments | Continue...

---

.htpasswd file Generator

.htpasswd is a flat-file used by Apache and other applications to store usernames and password for HTTP authentication. Apache .htpasswd files may contain multiple types of passwords; some may have MD5-encrypted passwords while others in the same file may have passwords encrypted with crypt(3) and/or SHA-1. Usernames are limited to 255 bytes and may not include the character :.
Htpasswd Formats
Apache Servers recognize 4 formats for representing a password hash in the text file usually named .htpasswd.

CRYPT
crypt(3) is the library function which is used to compute a password hash. Technically the name is a misnomer since it is actually a cryptographic hash function. The output of the function is not merely the hash: it is a text string which also encodes the salt and identifies the hash algorithm used. Apache uses the traditional Unix crypt function with a randomly-generated 32-bit salt (only 12 bits used) and the first 8 characters of the password. ALG_CRYPT
MD5
MD5 is one in a series of message digest algorithms designed by Professor Ronald Rivest of MIT. The 128-bit (16-byte) MD5 hashes (also termed message digests) are typically represented as a sequence of 32 hexadecimal digits. In .htpasswd files the hash is: $apr1$ + an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a random 32-bit salt and the password. ALG_APMD5
SHA-1
The SHA hash functions are a set of cryptographic hash functions designed by the National Security Agency (NSA) and published by the NIST as a U.S. Federal Information Processing Standard. SHA-1 produces a 160-bit digest from a message with a maximum length of (264 − 1) bits. SHA-1 is the most widely employed of the SHA family. It forms part of several widely used security applications and protocols, including TLS and SSL, PGP, SSH,…

Continue...

---

View Detailed HTTP Headers

HTTP Headers

HTTP Header Name
Header Description
Example HTTP Header

Accept
Content-Types that are acceptable
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5

Accept-Charset
Character sets that are acceptable
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Accept-Encoding
Acceptable encodings
Accept-Encoding: gzip,deflate

Accept-Language
Acceptable languages for response
Accept-Language: en-us,en

Accept-Ranges
What partial content range types this server supports
Accept-Ranges: bytes

Age
The age the object has been in a proxy cache in seconds
Age: 7200

Allow
Valid actions for a specified resource. To be used for a 405 Method not allowed
Allow: GET,HEAD,POST,OPTIONS,TRACE

Authorization
Authentication credentials for HTTP authentication
Authorization: Basic UXNrYXBhggRfoopc5NteWFzcw==

Cache-Control
Controls how proxies may cache this object
Cache-Control: max-age=7200, public

Connection
What type of connection the user-agent would prefer
Connection: Keep-Alive

Content-Encoding
The type of encoding used on the data
Content-Encoding: gzip

Content-Language
The language the content is in
Content-Language: en-us

Content-Length
The length of the content in bytes
Content-Length: 5356

Content-Location
An alternate location for the returned data
Content-Location: /index.html

Content-MD5
An MD5 sum of the content of the response
Content-MD5: 1167b9c13ad2b6d3694493fc47976c8

Content-Range
Where in a full body message this partial message belongs
Content-Range: bytes 110-2034/2035

Content-Type
The mime type of this content
Content-Type: text/html; charset=UTF-8

Date
The date and time that the message was sent
Date: Sat, 05 Jan 2008 09:27:35 GMT

Host
The domain name of the server (for virtual hosting)
Host: www.askapache.com

If-Modified-Since
Allows a 304 Not Modified to be returned
If-Modified-Since: Sat, 05 Jan 2007 09:26:12 GMT

Last-Modified
The last modified date for the requested object
Last-Modified: Sat, 05 Jan 2008 09:26:12 GMT

Location
Used in redirection
Location: http://www.askapache.com/

Server
A name for the server
Server: Apache/2.0.61 (Unix) PHP/4.4.7 mod_ssl/2.0.61 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2

User-Agent
The user agent string of the user agent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7

List of HTTP Response Status Codes
1xx Info / Informational
HTTP_INFO – Request received, continuing process.
Indicates a provisional response, consisting only of the Status-Line and optional headers, and is terminated by an empty line.

100 Continue – HTTP_CONTINUE
101 Switching Protocols – HTTP_SWITCHING_PROTOCOLS
102 Processing – HTTP_PROCESSING

2xx Success / OK
HTTP_SUCCESS – The action was successfully received, understood, and accepted.
Indicates that the client’s request was successfully received, understood, and accepted.

200 OK – HTTP_OK
201 Created – HTTP_CREATED
202 Accepted – HTTP_ACCEPTED
203 Non-Authoritative Information – HTTP_NON_AUTHORITATIVE
204 No Content – HTTP_NO_CONTENT
205 Reset Content – HTTP_RESET_CONTENT
206 Partial…

4 Comments | Continue...

---